Re: [COSE] 802.1AR example

Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 07 November 2023 14:26 UTC

To: Esko Dijk <esko.dijk@iotconsultancy.nl>, Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>, "cose@ietf.org" <cose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/P24yrdejE2TKi35hsUR6mj1cFaQ>


On 11/7/23 09:13, Esko Dijk wrote:
>
> Hi Göran,
>
> In case it’s useful: there’s more X.509 examples including one IDevID 
> in our draft: 
> https://datatracker.ietf.org/doc/html/draft-ietf-anima-constrained-voucher#appendix-C.2
>
> (For the IDevID, the “NotAfter” field wasn’t set to the max value 
> because I couldn’t easily get OpenSSL to do this. In C509 this should 
> become the ‘null’ value actually.)
>

It is not too hard.  Just hard enough.  I got it working.  After a month 
of conversations back in '18 on the open-ssl list.

> It’s not a real device example, but a best-effort approximation of the 
> 802.1AR standard.
>
> Esko
>
> *From:*COSE <cose-bounces@ietf.org> *On Behalf Of *Göran Selander
> *Sent:* Tuesday, November 7, 2023 14:34
> *To:* Robert Moskowitz <rgm-sec@htt-consult.com>; cose@ietf.org
> *Subject:* Re: [COSE] 802.1AR example
>
> Thanks, Bob!
>
> I wasn’t clear in the meeting what we have and what we may be missing.
>
> In section A.2 of C509 
> (https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-07#name-example-ieee-8021ar-profile) 
> we are referring to section A.2 / C.2 in RFC 9148, which has similar 
> certificates to the ones you just sent. Very similar indeed, they are 
> also made with your script 😊.
>
> The open issue was whether we should go with these or try to find 
> deployed IDevID certificates from some device.
>
> Let’s continue the discussion offlist!
>
> Göran
>
> *From: *COSE <cose-bounces@ietf.org> on behalf of Robert Moskowitz 
> <rgm-sec@htt-consult.com>
> *Date: *Tuesday, 7 November 2023 at 13:55
> *To: *cose@ietf.org <cose@ietf.org>
> *Subject: *Re: [COSE] 802.1AR example
>
>
>
> On 11/7/23 07:41, Robert Moskowitz wrote:
> > I just checked my draft:
> >
> > draft-moskowitz-ec-pki/draft-moskowitz-ec-pki
> >
> > And there are no actual examples.  So I looked in my files where I did
> > the testing for writing this and here is a 1AR DER:
> >
> > -----BEGIN CERTIFICATE-----
> > MIICYzCCAgmgAwIBAgIIUQ3O0GPrmkYwCgYIKoZIzj0EAwIwWDELMAkGA1UEBhMC
> > VVMxCzAJBgNVBAgMAk1JMREwDwYDVQQHDAhPYWsgUGFyazEXMBUGA1UECgwOSFRU
> > IENvbnN1bHRpbmcxEDAOBgNVBAMMB1Jvb3QgQ0EwIBcNMTcwODE4MTg0MTExWhgP
> > OTk5OTEyMzEyMzU5NTlaMDwxFzAVBgNVBAoMDkhUVCBDb25zdWx0aW5nMRAwDgYD
> > VQQLDAdEZXZpY2VzMQ8wDQYDVQQFEwZXdDEyMzQwWTATBgcqhkjOPQIBBggqhkjO
> > PQMBBwNCAASDND5LR1ti1BF1Cie7sbvYtPxKA55xDVr6SbUPtfkQlux/3G7ld1f7
> > E6QstR43jNftY2r3Fewa9h+5NVcAkhSZo4HWMIHTMAkGA1UdEwQCMAAwgYkGA1Ud
> > IwSBgTB/gBQm/YWlGql/tNedOcaEzHx40Ur/gqFcpFowWDELMAkGA1UEBhMCVVMx
> > CzAJBgNVBAgMAk1JMREwDwYDVQQHDAhPYWsgUGFyazEXMBUGA1UECgwOSFRUIENv
> > bnN1bHRpbmcxEDAOBgNVBAMMB1Jvb3QgQ0GCCQDyYdUCUKbOqjAOBgNVHQ8BAf8E
> > BAMCBaAwKgYDVR0RBCMwIaAfBggrBgEFBQcIBKATMBEGCSsGAQQBtDsKAQQEAQID
> > BDAKBggqhkjOPQQDAgNIADBFAiEAz/lrMNjZO+aaGi+sdsmHwSQWJjaEiBnCyJq5
> > 7jiZb3ACIGvMYqqrtgnDPOM/tDQ9UAm2zEzNmrLmGC+6xJDLxqTG
> > -----END CERTIFICATE-----
> >
> >
> > See what you get when you cbor it!
>
> openssl x509 -noout -text -in /home/rgm/data/ca/8021ARintermediate/certs/Wt1234.cert.pem
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number: 5840551686194305606 (0x510dced063eb9a46)
>          Signature Algorithm: ecdsa-with-SHA256
>          Issuer: C = US, ST = MI, L = Oak Park, O = HTT Consulting, CN = Root CA
>          Validity
>              Not Before: Aug 18 18:41:11 2017 GMT
>              Not After : Dec 31 23:59:59 9999 GMT
>          Subject: O = HTT Consulting, OU = Devices, serialNumber = Wt1234
>          Subject Public Key Info:
>              Public Key Algorithm: id-ecPublicKey
>                  Public-Key: (256 bit)
>                  pub:
>                      04:83:34:3e:4b:47:5b:62:d4:11:75:0a:27:bb:b1:
>                      bb:d8:b4:fc:4a:03:9e:71:0d:5a:fa:49:b5:0f:b5:
>                      f9:10:96:ec:7f:dc:6e:e5:77:57:fb:13:a4:2c:b5:
>                      1e:37:8c:d7:ed:63:6a:f7:15:ec:1a:f6:1f:b9:35:
>                      57:00:92:14:99
>                  ASN1 OID: prime256v1
>                  NIST CURVE: P-256
>          X509v3 extensions:
>              X509v3 Basic Constraints:
>                  CA:FALSE
>              X509v3 Authority Key Identifier:
>                  keyid:26:FD:85:A5:1A:A9:7F:B4:D7:9D:39:C6:84:CC:7C:78:D1:4A:FF:82
>                  DirName:/C=US/ST=MI/L=Oak Park/O=HTT Consulting/CN=Root CA
>                  serial:F2:61:D5:02:50:A6:CE:AA
>              X509v3 Key Usage: critical
>                  Digital Signature, Key Encipherment
>              X509v3 Subject Alternative Name:
>                  othername: 1.3.6.1.5.5.7.8.4::<unsupported>
>      Signature Algorithm: ecdsa-with-SHA256
>      Signature Value:
>          30:45:02:21:00:cf:f9:6b:30:d8:d9:3b:e6:9a:1a:2f:ac:76:
>          c9:87:c1:24:16:26:36:84:88:19:c2:c8:9a:b9:ee:38:99:6f:
>          70:02:20:6b:cc:62:aa:ab:b6:09:c3:3c:e3:3f:b4:34:3d:50:
>          09:b6:cc:4c:cd:9a:b2:e6:18:2f:ba:c4:90:cb:c6:a4:c6
>
> openssl asn1parse -i -in /home/rgm/data/ca/8021ARintermediate/certs/Wt1234.cert.pem
>      0:d=0  hl=4 l= 611 cons: SEQUENCE
>      4:d=1  hl=4 l= 521 cons:  SEQUENCE
>      8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
>     10:d=3  hl=2 l=   1 prim:    INTEGER           :02
>     13:d=2  hl=2 l=   8 prim:   INTEGER :510DCED063EB9A46
>     23:d=2  hl=2 l=  10 cons:   SEQUENCE
>     25:d=3  hl=2 l=   8 prim:    OBJECT :ecdsa-with-SHA256
>     35:d=2  hl=2 l=  88 cons:   SEQUENCE
>     37:d=3  hl=2 l=  11 cons:    SET
>     39:d=4  hl=2 l=   9 cons:     SEQUENCE
>     41:d=5  hl=2 l=   3 prim:      OBJECT :countryName
>     46:d=5  hl=2 l=   2 prim:      PRINTABLESTRING :US
>     50:d=3  hl=2 l=  11 cons:    SET
>     52:d=4  hl=2 l=   9 cons:     SEQUENCE
>     54:d=5  hl=2 l=   3 prim:      OBJECT :stateOrProvinceName
>     59:d=5  hl=2 l=   2 prim:      UTF8STRING :MI
>     63:d=3  hl=2 l=  17 cons:    SET
>     65:d=4  hl=2 l=  15 cons:     SEQUENCE
>     67:d=5  hl=2 l=   3 prim:      OBJECT :localityName
>     72:d=5  hl=2 l=   8 prim:      UTF8STRING :Oak Park
>     82:d=3  hl=2 l=  23 cons:    SET
>     84:d=4  hl=2 l=  21 cons:     SEQUENCE
>     86:d=5  hl=2 l=   3 prim:      OBJECT :organizationName
>     91:d=5  hl=2 l=  14 prim:      UTF8STRING :HTT Consulting
>    107:d=3  hl=2 l=  16 cons:    SET
>    109:d=4  hl=2 l=  14 cons:     SEQUENCE
>    111:d=5  hl=2 l=   3 prim:      OBJECT :commonName
>    116:d=5  hl=2 l=   7 prim:      UTF8STRING :Root CA
>    125:d=2  hl=2 l=  32 cons:   SEQUENCE
>    127:d=3  hl=2 l=  13 prim:    UTCTIME :170818184111Z
>    142:d=3  hl=2 l=  15 prim:    GENERALIZEDTIME :99991231235959Z
>    159:d=2  hl=2 l=  60 cons:   SEQUENCE
>    161:d=3  hl=2 l=  23 cons:    SET
>    163:d=4  hl=2 l=  21 cons:     SEQUENCE
>    165:d=5  hl=2 l=   3 prim:      OBJECT :organizationName
>    170:d=5  hl=2 l=  14 prim:      UTF8STRING :HTT Consulting
>    186:d=3  hl=2 l=  16 cons:    SET
>    188:d=4  hl=2 l=  14 cons:     SEQUENCE
>    190:d=5  hl=2 l=   3 prim:      OBJECT :organizationalUnitName
>    195:d=5  hl=2 l=   7 prim:      UTF8STRING :Devices
>    204:d=3  hl=2 l=  15 cons:    SET
>    206:d=4  hl=2 l=  13 cons:     SEQUENCE
>    208:d=5  hl=2 l=   3 prim:      OBJECT :serialNumber
>    213:d=5  hl=2 l=   6 prim:      PRINTABLESTRING :Wt1234
>    221:d=2  hl=2 l=  89 cons:   SEQUENCE
>    223:d=3  hl=2 l=  19 cons:    SEQUENCE
>    225:d=4  hl=2 l=   7 prim:     OBJECT :id-ecPublicKey
>    234:d=4  hl=2 l=   8 prim:     OBJECT :prime256v1
>    244:d=3  hl=2 l=  66 prim:    BIT STRING
>    312:d=2  hl=3 l= 214 cons:   cont [ 3 ]
>    315:d=3  hl=3 l= 211 cons:    SEQUENCE
>    318:d=4  hl=2 l=   9 cons:     SEQUENCE
>    320:d=5  hl=2 l=   3 prim:      OBJECT :X509v3 Basic Constraints
>    325:d=5  hl=2 l=   2 prim:      OCTET STRING [HEX DUMP]:3000
>    329:d=4  hl=3 l= 137 cons:     SEQUENCE
>    332:d=5  hl=2 l=   3 prim:      OBJECT :X509v3 Authority Key Identifier
>    337:d=5  hl=3 l= 129 prim:      OCTET STRING [HEX DUMP]:307F801426FD85A51AA97FB4D79D39C684CC7C78D14AFF82A15CA45A3058310B3009060355040613025553310B300906035504080C024D493111300F06035504070C084F616B205061726B31173015060355040A0C0E48545420436F6E73756C74696E673110300E06035504030C07526F6F74204341820900F261D50250A6CEAA
>    469:d=4  hl=2 l=  14 cons:     SEQUENCE
>    471:d=5  hl=2 l=   3 prim:      OBJECT :X509v3 Key Usage
>    476:d=5  hl=2 l=   1 prim:      BOOLEAN :255
>    479:d=5  hl=2 l=   4 prim:      OCTET STRING [HEX DUMP]:030205A0
>    485:d=4  hl=2 l=  42 cons:     SEQUENCE
>    487:d=5  hl=2 l=   3 prim:      OBJECT :X509v3 Subject Alternative Name
>    492:d=5  hl=2 l=  35 prim:      OCTET STRING [HEX DUMP]:3021A01F06082B06010505070804A013301106092B06010401B43B0A01040401020304
>    529:d=1  hl=2 l=  10 cons:  SEQUENCE
>    531:d=2  hl=2 l=   8 prim:   OBJECT :ecdsa-with-SHA256
>    541:d=1  hl=2 l=  72 prim:  BIT STRING
>
> openssl asn1parse -i -strparse 492 -in /home/rgm/data/ca/8021ARintermediate/certs/Wt1234.cert.pem
>      0:d=0  hl=2 l=  33 cons: SEQUENCE
>      2:d=1  hl=2 l=  31 cons:  cont [ 0 ]
>      4:d=2  hl=2 l=   8 prim:   OBJECT :1.3.6.1.5.5.7.8.4
>     14:d=2  hl=2 l=  19 cons:   cont [ 0 ]
>     16:d=3  hl=2 l=  17 cons:    SEQUENCE
>     18:d=4  hl=2 l=   9 prim:     OBJECT :1.3.6.1.4.1.6715.10.1
>     29:d=4  hl=2 l=   4 prim:     OCTET STRING [HEX DUMP]:01020304
>
> Bob
>
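
Added example, not part of the original thread or anyone's script: openssl prints this IDevID's subjectAltName only as "othername: 1.3.6.1.5.5.7.8.4::<unsupported>", so the code below walks the extension value from the asn1parse hex dump at offset 492 and returns the RFC 4108 HardwareModuleName fields (hwType, hwSerialNum). The function and constant names are assumptions of this example; it uses only the Python standard library.

```python
# SAN extension value, copied from the asn1parse hex dump at offset 492 above.
SAN_HEX = "3021A01F06082B06010505070804A013301106092B06010401B43B0A01040401020304"
HW_MODULE_NAME = "1.3.6.1.5.5.7.8.4"  # id-on-hardwareModuleName (RFC 4108)

def read_tlv(buf, pos=0):  # returns (tag, value bytes, next position)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OBJECT IDENTIFIER content octets -> dotted string
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this base-128 arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first octet group packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def hardware_module_names(san_der):  # -> [(hwType OID, hwSerialNum bytes)]
    tag, names, end = read_tlv(san_der)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("expected one GeneralNames SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:  # keep only otherName [0]
            continue
        t_id, type_id, p = read_tlv(body)
        if t_id != 0x06 or decode_oid(type_id) != HW_MODULE_NAME:
            continue
        t_ex, explicit, _ = read_tlv(body, p)   # [0] EXPLICIT wrapper
        t_seq, hmn, _ = read_tlv(explicit)      # HardwareModuleName SEQUENCE
        t_oid, hw_type, q = read_tlv(hmn)
        t_ser, hw_serial, _ = read_tlv(hmn, q)
        if (t_ex, t_seq, t_oid, t_ser) != (0xA0, 0x30, 0x06, 0x04):
            raise ValueError("malformed HardwareModuleName")
        found.append((decode_oid(hw_type), hw_serial))
    return found
```

Calling hardware_module_names(bytes.fromhex(SAN_HEX)) gives the same hwType OID and serial octets that the -strparse 492 run shows.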